Adding Web Sites that Support SSL Traffic

  1. Log in to your my.incapsula.com account.

    Note: If you have already added a site to your Imperva Cloud WAF account and want to add an additional site, go to the Management Console Websites page and click Add Site.

  2. In the 'Add Website' field, enter the full domain name (including the subdomain prefix, such as www) of your site. For example, www.yourdomain.com.

  3. Click + Add Website. The following is displayed, showing information automatically collected by Cloud WAF about your site:

Cloud WAF will automatically identify when websites that support SSL traffic (HTTPS) are added to the service.

Note: If SSL support was not detected, you can contact support for further assistance.

 

Step 2: Configure SSL support for secure sites

Click the Continue button. The following is displayed, illustrating how SSL protection works throughout the chain of communication to your site.

Cloud WAF acts as an HTTPS proxy and terminates end-user connections at its proxy servers. For this reason, a second SSL certificate (in practice, multiple copies of the same certificate) needs to be installed on the Cloud WAF proxy servers, in addition to the one already installed on the origin servers. The certificate on the proxy servers is the one that is visible to end users.

There are two alternatives for installing SSL certificates on the Cloud WAF proxy servers:

  1. The default method is having Cloud WAF generate a new certificate for the domain. The Certificate Authorities that generate these certificates for Cloud WAF are required to validate the customer’s ownership of the domain, a process that usually takes just a few minutes.
  2. An alternative method involves uploading a custom certificate. Because a custom certificate is served only to clients that support SNI, most customers are usually also required to generate an Imperva certificate for the site, which is used for all clients that do not support SNI.
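
To confirm what each class of client is served once both certificates are in place, the following added example (not Imperva's code) compares the certificate presented with and without SNI. The sample certificate dictionaries, the CA names and the helper names are constructed for illustration; `fetch_cert` performs the live lookup and is not called on the sample data.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, sni=True, timeout=5.0):
    """Leaf certificate (getpeercert() dict) served with or without SNI."""
    ctx = ssl.create_default_context()  # chain is still verified
    ctx.check_hostname = False          # name coverage is checked in san_covers()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()

def san_covers(host, cert):
    """True if a DNS subjectAltName matches host (wildcard: leftmost label only)."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        wildcard = name.startswith("*.") and host.partition(".")[2] == name[2:]
        if kind == "DNS" and (name == host or wildcard):
            return True
    return False

def issuer_org(cert):
    """organizationName of the issuing CA, or None."""
    pairs = [kv for rdn in cert.get("issuer", ()) for kv in rdn]
    return dict(pairs).get("organizationName")

def assess(host, sni_cert, nosni_cert, now=None):
    """Compare the certificates served to SNI and non-SNI clients for host."""
    now = time.time() if now is None else now
    def view(cert):
        left = ssl.cert_time_to_seconds(cert["notAfter"]) - now
        return {"covers_host": san_covers(host, cert),
                "issuer_org": issuer_org(cert), "days_left": int(left // 86400)}
    same = all(sni_cert.get(k) == nosni_cert.get(k) for k in ("serialNumber", "issuer"))
    return {"sni": view(sni_cert), "no_sni": view(nosni_cert), "same_certificate": same}

# Constructed sample data in getpeercert() format (not real certificates).
CUSTOM = {"subjectAltName": (("DNS", "www.yourdomain.com"),), "serialNumber": "01",
          "issuer": ((("organizationName", "Example Custom CA"),),),
          "notAfter": "Jan  1 00:00:00 2030 GMT"}
SHARED = {"subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "other.example")),
          "serialNumber": "02",
          "issuer": ((("organizationName", "Example Proxy CA"),),),
          "notAfter": "Jun  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    print(assess("www.yourdomain.com", CUSTOM, SHARED))
    # Live: assess(h, fetch_cert(h, sni=True), fetch_cert(h, sni=False))
```

If the proxy presents no certificate that validates when SNI is omitted, `fetch_cert(host, sni=False)` raises `ssl.SSLError`, which means non-SNI clients are not being served a usable certificate.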

Note: At any stage during the registration procedure, you can click the 'I don’t want SSL' button. If you choose this option, Cloud WAF will not generate a certificate for this site. It is possible at a later stage to configure a certificate for the site directly from the site settings. In such a case new DNS instructions will be provided and DNS records will have to be configured accordingly.

Request an Imperva Certificate

  1. Click the Let’s start button. The following is displayed:

  2. The Certificate Authority is required to validate ownership of the domain using one of the following methods:

  • Issuing A New SSL Certificate for Your Website:

After website ownership has been validated, Cloud WAF starts the process of issuing a new SSL certificate for the site.

The process is typically completed after a few minutes. A message pops up indicating that the certificate was issued successfully (you do not have to remain in this window).

 
Note:

While waiting for the certificate to be issued, the site continues to be available as it was previously. Traffic is not yet being diverted through Cloud WAF. After the certificate is ready, you will receive DNS instructions for onboarding the Cloud WAF.

If, for any reason, the new SSL certificate is not issued promptly, a message is displayed and you will receive an email notification when the certificate is issued.

 

Upload a custom certificate:

(Optional) To upload a custom certificate, complete the process described above to request an Imperva Certificate, and then follow the instructions on Upload a Custom Certificate for Your Website on Incapsula.

 
 

Cloud WAF SSL Support - Frequently Asked Questions

Q: Do I need to purchase an SSL certificate when onboarding Cloud WAF?
A: Absolutely not. We provide the certificate at no extra cost.

Q: Do I need to surrender my Private Key to Cloud WAF?
A: No.

Q: What port do you use for SSL traffic and can I use another port?
A: The default SSL port is 443. Enterprise customers may use custom ports, but you’ll need to contact our support to do so.

Q: I didn’t receive the verification e-mail.
A: Check your “Spam” folder and if it’s not there, contact our support for further assistance.

Q: I have an EV certificate and I want to keep using it, what can I do? 
A: Imperva's Cloud WAF Enterprise and Business Plus plans fully support EV certificates.

Q: How do I add SSL support, if I didn’t have SSL when I first activated Cloud WAF?
A: Even after the site’s initial setup, we continue to monitor your SSL support, so the system should detect this automatically. When this happens, new SSL controls will appear automatically in your ‘Settings’ screen and you can use them to add your new certificate. You can also contact our support at any time and we will be glad to help.

 

 

 


Comments

  • Martin

    Here you say "Within 24 hours from adding the web site you will receive an e-mail from GlobalSign" whereas on Certificate status it is mentioned "Validation email will be sent to x@x in a few minutes". There's quite a gap between a few minutes and 1440 :)

  • Bipin

    Need help configuring an SSL-based domain. While adding the domain, it is not detecting the HTTPS protocol.
    Also, after adding the domain, we checked manually and are not able to detect SSL, and are getting the error "An unclassified error is preventing us from detecting SSL on "www.hdfcbankallmiles.com""

    Edited by Bipin
  • Farhan

    Getting the same "An unclassified error is preventing us from detecting SSL" error during SSL detection.

    It gets better though. If SSL is actually detected there are multiple issues with cert configuration.

    The cert issuance during initial site configuration barely works. Broken for two of our sites right now.

    The cert configuration after initial site configuration does not provide the DNS TXT record verification method. It only provides the email based verification which, again, is more than intermittently broken.
